Information Security Standard
6.2 - Organization of Information Security
Mobile Devices and Teleworking
To ensure that information security is properly applied when using mobile devices and teleworking facilities.
In accordance with ISO/IEC 27002:2013(E), § 6.2, the VCCS should ensure that the protection required is commensurate with the risks that mobile devices and teleworking cause. When using mobile devices, the risks of working in an unprotected environment will be considered and appropriate protection applied. In the case of teleworking, the VCCS will apply protection to the teleworking site (location) and ensure that suitable arrangements are in place for this way of working.
This Mobile Devices and Teleworking standard is applicable to all offices and colleges of the Virginia Community College System (VCCS).
The requirements defined by this standard determine the actions and steps that the VCCS will take to ensure that work performed either with mobile devices or by teleworking will be protected commensurate with the risks these specific methods of working create.
Requirement: §6.2.1 Mobile Devices
A formal policy must be in place, and appropriate security measures must be adopted to protect against the risks of using mobile devices. Mobile devices are any Commonwealth of Virginia owned devices used for accessing or processing VCCS data that can be transported off-premises or are otherwise used for the purpose of teleworking at an off-premises location. These include desktop computers, laptop computers, tablets, cell phones, PDAs and USB storage devices.
The VCCS offices and colleges provide Commonwealth of Virginia (COV) owned mobile devices in order to improve the productivity, flexibility, responsiveness and effectiveness of its operations. The VCCS offices and colleges will take the following steps for the protection of COV mobile devices:
- A current assessment of the risks of working with mobile devices in unprotected environments must be performed by the VCCS office or college authorizing the use of such devices. This risk assessment will include mitigating controls to allow mobile devices to be connected to the VCCS office or college network environment and to ensure that business information is not compromised;
- Mobile devices must be physically protected against theft when left unattended in cars and other forms of transport, in hotel rooms, in conference centers, and/or other meeting places with public access;
- Mobile devices which contain important, sensitive, and/or critical business information must not be left unattended and, where possible, will be locked away, or special locks will be used to secure the equipment;
- Mobile devices which store important, sensitive, and/or critical business information or are used for elevated privilege access must utilize encrypted storage; must be backed up on a regular basis in accordance with VCCS IT Security Standard 12.3 - Backup §12.3.1 Information Backup; and must use current anti-virus protection software when applicable;
- Users of mobile devices will be trained to recognize and avoid social engineering tactics such as shoulder surfing (overlooking by unauthorized persons) as well as additional risks resulting from the use of mobile devices in public areas;
- Mobile devices used for remote access must connect via VPN or VDI and use two-factor authentication when applicable – refer to VCCS Information Security Standard 11.2 Equipment Security §11.2.6 Security of Equipment Off-Premises.
Requirement: §6.2.2 Teleworking
A policy, operational plans and procedures must be developed and implemented for teleworking activities.
The VCCS offices and colleges will authorize teleworking activities if satisfied that appropriate security arrangements and controls are in place, and that these comply with the VCCS’s security policy.
In order to satisfy these security arrangements and controls, suitable protection of the teleworking site should be in place to protect against: the theft of equipment and information; the unauthorized disclosure of information; and unauthorized remote access to the VCCS’s internal systems or misuse of facilities.
When considering approving a request for teleworking, all VCCS offices and colleges will consider:
- physical security measures at the teleworking site, including building and local environment;
- the proposed physical teleworking environment;
- the communications security requirements;
- the threat of unauthorized access to information or resources from other persons using the accommodation (e.g., family and friends);
- the use of home networks and requirements or restrictions on the configuration of wireless network services;
- policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
- access to privately owned equipment (to check the security of the machine or during an investigation), which may be prevented by legislation;
- software licensing agreements under which the VCCS may become liable for licensing of client software on workstations owned privately by employees, contractors or third party users; and
- anti-virus protection and firewall requirements.
In support of these requirements, the VCCS has adopted and implemented the following related documents:
VCCS Information Security Policy
VCCS IT Security Standards:
- 4.1 Assessing Security Risks.docx
- 4.2 Treating Security Risks.docx
- 5.1 Information Security Program.docx
- 6.0 Information Security Governance and Organization.docx
- 6.1 Internal Organization.docx
- 6.2 Mobile Devices and Teleworking.docx
- 7.1 Personnel Information Security Prior to Employment.docx
- 7.2 Personnel Information Security During Employment.docx
- 7.3 Personnel Information Security Termination or Change of Employment.docx
- 8.1 Responsibility for Assets.docx
- 8.2 Information Classification.docx
- 8.3 Media Handling.docx
- 9.1 Business Requirement for Access Control.docx
- 9.2 User Access Management.docx
- 9.3 User Responsibilities.docx
- 9.4 Operating System Access Control.docx
- 10.1 Cryptographic Controls.docx
- 11.1 Secure Areas.docx
- 11.2 Equipment Security.docx
- 12.1 Operational Procedures and Responsibilities.docx
- 12.2 Protection Against Malicious and Mobile Code.docx
- 12.3 Backup.docx
- 12.4 Monitoring.docx
- 12.5 Control of Operational Software.docx
- 12.6 Technical Vulnerability Management.docx
- 12.7 Information Systems Audit Considerations.docx
- 13.1 Network Access Control.docx
- 13.2 Exchange of Information.docx
- 14.1 Security Requirements of Information Systems.docx
- 14.2 Security in Development and Support Processes.docx
- 15.1 Supplier Relationships.docx
- 15.2 Third Party Service Delivery Management.docx
- 16.1 Management of Information Security Incidents and Improvements.docx
- 17.1 InfoSec Aspects of Business Continuity of Business Continuity Management.docx
- 17.2 Redundancies.docx
- 18.1 Compliance with Legal Requirements.docx
- 18.2 Information Security Reviews.docx
List of Changes
- Revised draft to final
- Formatting changes, added revision page. Changed “should” to “must utilize encrypted hard drives” in 11.7.1
- Formatting changes, revised the Standard Clause, the Applicability Clause and the requirement Mobile Devices - §11.7.1 to clarify that only Commonwealth of Virginia owned mobile devices are governed by this standard and that encryption for hard drives is only required for mobile devices that store sensitive data or are used for elevated privilege access.
- ISO 27000 Framework 2013 Update - Format Changes, Updated References, Updated Related Documents
Approved by: VCCS Technology Council